2026-02-10 00:37:00 +08:00 · 2013-03-02 15:32:51 +01:00
parent 9900ff6060
commit 62392660cd
9 changed files with 61 additions and 26 deletions
							
							
								
							
							
						
@@ -3,6 +3,9 @@
/* Define if building universal (internal helper macro) */
#undef AC_APPLE_UNIVERSAL_BUILD
/* Enable Anyconnect compatibility */
#undef ANYCONNECT_CLIENT_COMPAT
/* Define to the number of bits in type 'ptrdiff_t'. */
#undef BITSIZEOF_PTRDIFF_T
							
								
							
							
							
						
 
							
							
								
							
							
						
@@ -96,6 +96,14 @@ else
fi
fi
AC_ARG_ENABLE(anyconnect-compat,
  AS_HELP_STRING([--enable-anyconnect-compat], [enable Anyconnect client compatibility (experimental)]),
    anyconnect_enabled=$enableval, anyconnect_enabled=no)
if [ test "$anyconnect_enabled" = "yes" ];then
	AC_DEFINE([ANYCONNECT_CLIENT_COMPAT], [], [Enable Anyconnect compatibility])
fi
enable_local_libopts=yes
NEED_LIBOPTS_DIR=true
LIBOPTS_CHECK([libopts])
							
							
							
								
							
						
@@ -111,14 +119,16 @@ AC_OUTPUT
AC_MSG_NOTICE([summary of build options:
  version:          ${VERSION}
  Host type:        ${host}
  Install prefix:   ${prefix}
  Compiler:         ${CC}
  CFlags:           ${CFLAGS}
  GDBM backend:     ${gdbm_enabled}
  PAM backend:      ${pam_enabled}
  TCP wrappers:     ${libwrap_enabled}
  seccomp:          ${seccomp_enabled}
  version:                ${VERSION}
  Host type:              ${host}
  Install prefix:         ${prefix}
  Compiler:               ${CC}
  CFlags:                 ${CFLAGS}
  GDBM backend:           ${gdbm_enabled}
  PAM backend:            ${pam_enabled}
  TCP wrappers:           ${libwrap_enabled}
  seccomp (experimental): ${seccomp_enabled}
  Anyconnect compat:      ${anyconnect_enabled}
])
							
							
							
						
 
							
							
								
							
							
						
@@ -147,7 +147,9 @@ unsigned j;
	READ_STRING("server-key", config->key, 1);
	READ_STRING("pin-file", config->pin_file, 0);
	READ_STRING("srk-pin-file", config->srk_pin_file, 0);
#ifdef ANYCONNECT_CLIENT_COMPAT
	READ_STRING("user-profile", config->xml_config_file, 0);
#endif
	READ_STRING("ca-cert", config->ca, 0);
	READ_STRING("crl", config->crl, 0);
							
								
							
							
								
							
							
						
@@ -235,9 +237,6 @@ static void check_cfg( struct cfg_st *config)
		exit(1);
	}
	if (config->cert) {
		config->cert_hash = calc_sha1_hash(config->cert, 1);
	}
	
	if (config->auth_types & AUTH_TYPE_CERTIFICATE) {
		if (config->force_cert_auth)
							
							
							
								
							
						
@@ -246,6 +245,11 @@ static void check_cfg( struct cfg_st *config)
			config->cert_req = GNUTLS_CERT_REQUEST;
	}
#ifdef ANYCONNECT_CLIENT_COMPAT
	if (config->cert) {
		config->cert_hash = calc_sha1_hash(config->cert, 1);
	}
	if (config->xml_config_file) {
		config->xml_config_hash = calc_sha1_hash(config->xml_config_file, 0);
		if (config->xml_config_hash == NULL && config->chroot_dir != NULL) {
							
							
							
								
							
						
@@ -264,6 +268,7 @@ static void check_cfg( struct cfg_st *config)
			exit(1);
		}
	}
#endif
	
	if (config->keepalive == 0)
		config->keepalive = 3600;
							
								
							
							
								
							
							
						
@@ -314,9 +319,11 @@ void reload_cfg_file(struct cfg_st* config)
{
unsigned i;
#ifdef ANYCONNECT_CLIENT_COMPAT
	DEL(config->xml_config_file);
	DEL(config->xml_config_hash);
	DEL(config->cert_hash);
#endif
	DEL(config->banner);
	DEL(config->name);
	DEL(config->cert);
							
								
							
							
							
						
 
							
							
								
							
							
						
@@ -2,7 +2,7 @@
 *  
 *  DO NOT EDIT THIS FILE   (ocserv-args.c)
 *  
 *  It has been AutoGen-ed  March  1, 2013 at 09:44:33 PM by AutoGen 5.16
 *  It has been AutoGen-ed  March  2, 2013 at 03:35:07 PM by AutoGen 5.16
 *  From the definitions    ocserv-args.def
 *  and the template file   options
 *
							
								
							
							
							
						
 
							
							
								
							
							
						
@@ -82,17 +82,6 @@ auth = "pam"
# A banner to be displayed on clients
#banner = "Welcome"
# Client profile xml. A sample file exists in doc/profile.xml.
# This file must be accessible from inside the worker's chroot. 
# It is not used by the openconnect client.
#user-profile = /path/to/file.xml
# Unless set to false it is required for clients to present their
# certificate even if they are authenticating via a previously granted
# cookie. Legacy CISCO clients do not do that, and thus this option
# should be set for them.
#always-require-cert = false
# Use listen-host to limit to specific IPs or to the IPs of a provided hostname.
#listen-host = [IP|HOSTNAME]
							
								
							
							
								
							
							
						
@@ -219,6 +208,23 @@ ipv4-dns = local
route = 192.168.1.0/255.255.255.0
route = 192.168.5.0/255.255.255.0
#
# The following options are for (experimental) AnyConnect client compatibility.
# They are available if the server is built with --enable-anyconnect
#
# Client profile xml. A sample file exists in doc/profile.xml.
# This file must be accessible from inside the worker's chroot. 
# It is not used by the openconnect client.
#user-profile = /path/to/file.xml
# Unless set to false it is required for clients to present their
# certificate even if they are authenticating via a previously granted
# cookie. Legacy CISCO clients do not do that, and thus this option
# should be set for them.
#always-require-cert = false
@end example
_EOT_;
							
								
							
							
							
						
 
							
							
								
							
							
						
@@ -2,7 +2,7 @@
 *  
 *  DO NOT EDIT THIS FILE   (ocserv-args.h)
 *  
 *  It has been AutoGen-ed  March  1, 2013 at 09:44:33 PM by AutoGen 5.16
 *  It has been AutoGen-ed  March  2, 2013 at 03:35:07 PM by AutoGen 5.16
 *  From the definitions    ocserv-args.def
 *  and the template file   options
 *
							
								
							
							
							
						
 
							
							
								
							
							
						
@@ -60,7 +60,6 @@ struct cfg_st {
	char *pin_file;
	char *srk_pin_file;
	char *cert;
	char *cert_hash;
	char *key;
	char *ca;
							
								
							
							
								
							
							
						
@@ -91,8 +90,11 @@ struct cfg_st {
	char *connect_script;
	char *disconnect_script;
#ifdef ANYCONNECT_CLIENT_COMPAT
	char *xml_config_file;
	char *xml_config_hash;
	char *cert_hash;
#endif
	uid_t uid;
	gid_t gid;
							
								
							
							
							
						
 
							
							
								
							
							
						
@@ -403,11 +403,13 @@ char msg[MAX_BANNER_SIZE+32];
	if (ret < 0)
		return -1;
#ifdef ANYCONNECT_CLIENT_COMPAT
	if (ws->config->xml_config_file) {
		ret = tls_printf(ws->session, "Set-Cookie: webvpnc=bu:/&p:t&iu:1/&sh:%s&lu:/+CSCOT+/translation-table?textdomain%%3DAnyConnect%%26type%%3Dmanifest&fu:profiles%%2Fprofile.xml&fh:%s\r\n", ws->config->cert_hash,ws->config->xml_config_hash);
		if (ret < 0)
			return -1;
	}
#endif
	ret = tls_printf(ws->session, "\r\n"SUCCESS_MSG_HEAD"%s"SUCCESS_MSG_FOOT, msg);
	if (ret < 0)
							
								
							
							
							
						
 
							
							
								
							
							
						
@@ -86,6 +86,7 @@ struct known_urls_st {
	url_handler_fn post_handler;
};
#ifdef ANYCONNECT_CLIENT_COMPAT
int get_config_handler(worker_st *ws, unsigned http_ver)
{
int ret;
							
								
							
							
								
							
							
						
@@ -183,12 +184,16 @@ int ret;
	return 0;
}
#endif
#define LL(x,y,z) {x, sizeof(x)-1, y, z}
struct known_urls_st known_urls[] = {
		LL("/", get_auth_handler, post_new_auth_handler),
		LL("/auth", get_auth_handler, post_old_auth_handler),
#ifdef ANYCONNECT_CLIENT_COMPAT
		LL("/profiles", get_config_handler, NULL),
		LL("/+CSCOT+/translation-table", get_cscot_handler, NULL),
#endif
		{NULL, 0, NULL, NULL}
};